Reassuring our community about the recent CircleCI security alert

You may have heard of a recent security alert at CircleCI. We want to reassure our community that we have no reason to believe that any user data has been accessed, or is at risk, because of this incident.

What is CircleCI? 

CircleCI lets teams build fully-automated pipelines, from testing to deployment. Engineers can use CircleCI to automate some of their processes, which reduces the chance for human error.

Do we use CircleCI?

Yes, our Digital Products team uses CircleCI to run tests and tasks for some of the CoderDojo sites.

What have we done in response?

We have been carefully observing the investigation into the incident. We have followed CircleCI’s guidance that out of an abundance of caution, any secrets or SSH keys stored in CircleCI should be deleted, and new ones generated. 

SSH (secure shell) keys are a pair of public and private keys that are used to authenticate and establish an encrypted communication channel between a client and a remote machine over the internet. In this case, they are used to perform code deployments. We have deleted all SSH keys that were stored in CircleCI and generated completely new ones. 

Do I need to do anything?

No, there is nothing you need to do. We have no reason to believe that any user data has been accessed, or is at risk, because of this incident at CircleCI.

If you are interested in learning more about encryption, you can take our Introduction to Encryption and Cryptography course for free over two weeks, by selecting the “Limited access” option on FutureLearn.